Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Darktrace Model Breach

Back
Ida3c7b8ed-56a9-47b7-98e5-2555c16e17c9
RulenameDarktrace Model Breach
DescriptionThis rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.
SeverityMedium
Required data connectorsDarktraceRESTConnector
KindNRT
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
Version1.1.0
Arm templatea3c7b8ed-56a9-47b7-98e5-2555c16e17c9.json
Deploy To Azure
darktrace_model_alerts_CL 
| where dtProduct_s =="Policy Breach"
| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
| extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
| extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium", 
                                  DtCategory == "Critical", "High",
                                  "Informational") 
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DstHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DstIpAddr
queryFrequency: 5m
name: Darktrace Model Breach
severity: Medium
kind: NRT
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics: 
triggerThreshold: 0
query: |
  darktrace_model_alerts_CL 
  | where dtProduct_s =="Policy Breach"
  | project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
  | extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
  | extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium", 
                                    DtCategory == "Critical", "High",
                                    "Informational")   
triggerOperator: gt
customDetails:
  NetworkRuleName: NetworkRuleName
  ThreatId: ThreatId
  EventSeverity: EventSeverity
  DtDescription: DtDescription
  DstMacAddr: DstMacAddr
  EventStartTime: EventStartTime
  DtCategory: DtCategory
  SrcMacAddr: SrcMacAddr
  DtCompliance: DtCompliance
  DtDeviceID: DtDeviceID
  SrcPortNumber: SrcPortNumber
  DstPortNumber: DstPortNumber
  NetworkRuleNumber: NetworkRuleNumber
  DtSentinelCategory: DtSentinelCategory
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
relevantTechniques: 
alertDetailsOverride:
  alertSeverityColumnName: 
  alertDescriptionFormat: '{{DtMessage}}'
  alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}'
  alertTacticsColumnName: 
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: DtBreachURL
  - alertProperty: ProviderName
    value: EventVendor
  - alertProperty: ProductName
    value: EventProduct
  - alertProperty: ProductComponentName
    value: ThreatCategory
  - alertProperty: Severity
    value: DtSentinelCategory
id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9
requiredDataConnectors:
- connectorId: DarktraceRESTConnector
  dataTypes:
  - darktrace_model_alerts_CL
version: 1.1.0
description: |
    'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3c7b8ed-56a9-47b7-98e5-2555c16e17c9')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3c7b8ed-56a9-47b7-98e5-2555c16e17c9')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{DtMessage}}",
          "alertDisplayNameFormat": "Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "DtBreachURL"
            },
            {
              "alertProperty": "ProviderName",
              "value": "EventVendor"
            },
            {
              "alertProperty": "ProductName",
              "value": "EventProduct"
            },
            {
              "alertProperty": "ProductComponentName",
              "value": "ThreatCategory"
            },
            {
              "alertProperty": "Severity",
              "value": "DtSentinelCategory"
            }
          ],
          "alertSeverityColumnName": null,
          "alertTacticsColumnName": null
        },
        "alertRuleTemplateName": "a3c7b8ed-56a9-47b7-98e5-2555c16e17c9",
        "customDetails": {
          "DstMacAddr": "DstMacAddr",
          "DstPortNumber": "DstPortNumber",
          "DtCategory": "DtCategory",
          "DtCompliance": "DtCompliance",
          "DtDescription": "DtDescription",
          "DtDeviceID": "DtDeviceID",
          "DtSentinelCategory": "DtSentinelCategory",
          "EventSeverity": "EventSeverity",
          "EventStartTime": "EventStartTime",
          "NetworkRuleName": "NetworkRuleName",
          "NetworkRuleNumber": "NetworkRuleNumber",
          "SrcMacAddr": "SrcMacAddr",
          "SrcPortNumber": "SrcPortNumber",
          "ThreatId": "ThreatId"
        },
        "description": "'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'\n",
        "displayName": "Darktrace Model Breach",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SrcHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DstHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DstIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml",
        "query": "darktrace_model_alerts_CL \n| where dtProduct_s ==\"Policy Breach\"\n| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category\n| extend EventCount=1, EventType=\"NetworkSession\", EventSchema=\"NetworkSession\", EventSchemaVersion=\"0.2.2\", EventResult=\"Success\", DvcAction = \"Allow\", EventVendor = \"Darktrace\", EventProduct = \"Darktrace DETECT\", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity\n| extend DtSentinelCategory = case(DtCategory == \"Suspicious\", \"Medium\", \n                                  DtCategory == \"Critical\", \"High\",\n                                  \"Informational\") \n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": null,
        "techniques": null,
        "templateVersion": "1.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}